Akvorado is simpler than you think

What the hell is Akvorado, and why should I consider it ?

The target audience for this is mostly network engineers with an interest in looking at their DFZ traffic and where it's going. If you are using nfsen, as-stats, ELK or even Kentik or Arbor, this might be of use to you.

What's Akvorado ?

As they say on their website (https://www.akvorado.net): flow collector, enricher and visualizer. Have a look at the website to get an idea of what it does.

Why this post ?

I tried to install it, and struggled with the configuration. TL;DR: I was thinking too much in the old way. Discussing with Vincent, he explained it to me, and I had the illumination that it was really easy.

Furthermore, I mentioned the tool to some other friends, and it seems they had exactly the same problems I had. So here is what's needed to run this tool.

Let's keep it simple :

Initial install

Requirements :

Simply follow the quick start guide. Since my discussion with Vincent, the documentation seems to have been updated to keep it simple. Follow the steps up to point 3 of the quick start; I'll comment my config file in the next section.

!! Assuming you have uncompressed the quickstart.tgz in the /opt/akvorado directory, you could use my small script, that's available here, which does the following:

- Moves to the akvorado directory (/opt/akvorado)
- Removes the demo parameter from the config files
- Adds the SNMP community, assuming you're not using public
- Inserts a sampling rate
- Modifies the export/import filters according to my infra

Akvorado Configuration

I copied the running config file we use at AS6893, obfuscating some private stuff. Our config file is /opt/akvorado.yaml. For some time now, the configuration has been split into 4 files in the config/ directory, which makes things much clearer.

Here we added our internal private network ASNs. The publicly known ASNs are populated automatically, but you can rename them here. The same goes for networks: no need to specify the public ones, but you may want to name your internal, non-public ones.

clickhouse:
  orchestrator-url: http://akvorado-orchestrator:8080
  kafka:
    consumers: 4
  servers:
    - clickhouse:9000
  asns:
    6893: Saitis Networks
    41882: RomandIX
    65100: Some internal ASN 0
    65101: Some internal ASN 1
    65102: Some internal ASN 2
  networks:
    62.220.128.0/19:
      name: saitis
      role: network

Here in inlet.yaml, we modified:

- the ASN and geo databases
- the SNMP community
- inserted an override-sampling-rate for my sampling ratio
- the regular expressions to classify our traffic

There are 2 default types of interface classification: external and unknown. In this case, we added a section for internal traffic. The external expression matches interfaces whose description begins with transit or peering, ignoring case. The filter on the description is used to get nice results on the graph. The internal expression matches interfaces starting with core or cust. All the traffic that doesn't match any of these falls into the unknown category.

kafka:
  compression-codec: zstd
geoip:
  optional: true
  asn-database: /usr/share/GeoIP/GeoLite2-ASN.mmdb
  geo-database: /usr/share/GeoIP/GeoLite2-Country.mmdb
snmp:
  workers: 10
  communities:
    ::/0: My_snmp_roxx_poney
flow:
  inputs:
    - type: udp
      decoder: netflow
      listen: 0.0.0.0:2055
      workers: 6
      receive-buffer: 10485760
    - type: udp
      decoder: sflow
      listen: 0.0.0.0:6343
      workers: 6
      receive-buffer: 10485760
core:
  override-sampling-rate: 10
  workers: 6
  exporter-classifiers:
    - ClassifySiteRegex(Exporter.Name, "^[^-]+-([^-]+)-", "$1")
    # quantifier inside the group, so the whole first field is captured (not just its last character)
    - ClassifyRegionRegex(Exporter.Name, "^([^-]+)-[^-]+-", "$1")
    - ClassifyRole("ar")
  interface-classifiers:
    - |
      ClassifyConnectivityRegex(Interface.Description, "^(?i)(transit|peering):? ", "$1") &&
      ClassifyProviderRegex(Interface.Description, "^\\S+?\\s(?:to )?(\\S+)", "$1") &&
      ClassifyExternal()
    - ClassifyConnectivityRegex(Interface.Description, "^(?i)(cust|core):? ", "$1") &&
      ClassifyInternal()
    - ClassifyInternal()
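To see what the exporter and interface classifiers above actually extract, here is a small Go program I added for this post; it is not code from Akvorado or from my config, and it only re-implements the matching with Go's regexp package (the same RE2 syntax Akvorado uses, which is why "^(?i)..." is accepted). Assumptions, labelled in the code: the Classify*Regex helpers behave like "match, then expand the $1 template on the first match", rules are tried in order and the first rule whose whole expression is true wins, and the exporter names and interface descriptions are made up. Note that with the config as written, the trailing bare ClassifyInternal() turns every unmatched interface into internal; the example leaves it out so that unmatched interfaces stay unknown, as described in the text.

```go
package main

import (
	"fmt"
	"regexp"
)

// expandFirstMatch is a stand-in for Akvorado's Classify*Regex helpers
// (assumption: match the regex, expand a "$1"-style template on the first
// match). It returns ("", false) when the regex does not match.
func expandFirstMatch(s, pattern, template string) (string, bool) {
	re := regexp.MustCompile(pattern)
	m := re.FindStringSubmatchIndex(s)
	if m == nil {
		return "", false
	}
	return string(re.ExpandString(nil, template, s, m)), true
}

// ExporterClass holds what the two exporter classifiers extract from an
// exporter name of the form "<region>-<site>-<hostname>".
type ExporterClass struct {
	Region, Site string
}

func classifyExporter(name string) ExporterClass {
	var c ExporterClass
	// Site: the field between the first and second dash.
	c.Site, _ = expandFirstMatch(name, `^[^-]+-([^-]+)-`, "$1")
	// Region: the field before the first dash (quantifier inside the group).
	c.Region, _ = expandFirstMatch(name, `^([^-]+)-[^-]+-`, "$1")
	return c
}

// InterfaceClass mirrors the three things the interface classifiers set:
// connectivity (transit/peering/cust/core), provider, and boundary
// ("external", "internal", or "unknown" when no rule applied).
type InterfaceClass struct {
	Connectivity, Provider, Boundary string
}

// classifyInterface applies the config's rules in order; the first rule whose
// whole expression is true wins (assumption about evaluation order).
func classifyInterface(desc string) InterfaceClass {
	c := InterfaceClass{Boundary: "unknown"}
	// Rule 1: "Transit: X", "peering to Y" -> external, with the provider
	// taken from the word after the keyword and an optional "to ".
	if conn, ok := expandFirstMatch(desc, `^(?i)(transit|peering):? `, "$1"); ok {
		if prov, ok := expandFirstMatch(desc, `^\S+?\s(?:to )?(\S+)`, "$1"); ok {
			return InterfaceClass{Connectivity: conn, Provider: prov, Boundary: "external"}
		}
		// Keyword matched but no provider word followed it: the "&&" chain
		// is false, so this rule does not apply and we fall through.
	}
	// Rule 2: "Cust: X", "core ..." -> internal, no provider.
	if conn, ok := expandFirstMatch(desc, `^(?i)(cust|core):? `, "$1"); ok {
		c.Connectivity = conn
		c.Boundary = "internal"
		return c
	}
	// Nothing matched: stays unknown.
	return c
}

func main() {
	// Constructed sample data, not taken from a real router.
	for _, name := range []string{"ch-gva-ar1", "ch-lsn-ar2"} {
		fmt.Printf("%-12s -> %+v\n", name, classifyExporter(name))
	}
	for _, d := range []string{
		"Transit: Level3 upstream",
		"peering to RomandIX",
		"Cust: acme-corp 1G",
		"core ar2 backbone",
		"Mgmt OOB",
		"Transit: ",
	} {
		fmt.Printf("%-28q -> %+v\n", d, classifyInterface(d))
	}
}
```

The "Transit: " case is the one worth keeping in mind when writing descriptions: the connectivity regex matches, but the provider regex needs a word after the keyword, so the whole "&&" expression is false and the interface is not classified as external at all.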

And you are done on the Akvorado side. You can remove everything that comes after this section in the file; if you used the script, it has already done that for you.

You can now start your Docker containers and enjoy your data collection.

What about storage ?

As usual, the hard part is knowing exactly how much storage you need before setting it up. It all depends on the amount of flows you get.

For reference, we have been collecting data for a bit more than a month now (42 days), we export IPFIX, sample at 1/1024, and we have used 14G of storage. We have 35 flows/s from 2 exporters. As I understand it, retention can be tuned, and the default looked quite sane from what Vincent told me.

Conclusion

My config file, without my comments, is 69 lines (nice).

I modified about 20 lines, because we did some fancy filtering with Vincent.

I'll publish my SwiNOG slides as soon as the event is done ;)

whoami

I'm Will van Gulik, associate and network architect/engineer at Saitis / Nimag Networks Sàrl; we operate AS6893 and AS41882, and I'm experimenting on AS2613. I'm also co-chair of RIPE's Connect Working Group.
